TESTED VERSIONS

PRODUCT URLs

DETAILS

While executing a Tj operator on a piece of text contained in a stream, a memory structure
probably containing charset mappings is referenced. No NULL pointer check is made, and
since the structure is zero initialized this can result in a crash.

The supplied testcase successfully crashes the sample ixsample application
supplied with the SDK.

In the supplied testcase, after the parser successfully decodes the /FlateDecode
encoded stream data, it proceeds to execute the operators contained within.
In this case the decoded stream data is:

At the time of the crash, the initial value of ebp at [1] contains the first character of the Tj operator argument, in this case "R", which ends up
in ecx and is subsequently used as an offset into the memory structure at [4]. At [2], the value of dl is zero extended into ecx, limiting our control over it.
At [3], the final value of eax is set from offset 0x1f18 into edx.
The value of eax can be NULL but isn't checked, resulting in a near NULL
pointer dereference.

It is worth noting that when the same memory address is accessed in other parts of the code, the pointer is properly checked beforehand.
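To illustrate the bug class rather than the SDK's actual code, the following added C model (not from the advisory or the vendor) sketches a zero-initialised charset-mapping table indexed by the first byte of the Tj operand, once dereferenced without a check as described above and once with the check the other code paths perform. All type and function names, the table layout and the sample mapping are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a charset-mapping structure: a zero-initialised table
   of per-byte glyph entries, so any byte never mapped yields a NULL slot. */
typedef struct {
    int (*width)(unsigned char c);   /* glyph handler; NULL when unmapped */
} glyph_entry;

typedef struct {
    glyph_entry *map[256];           /* indexed by the Tj operand's first byte */
} charset_map;

static int latin_width(unsigned char c) { (void)c; return 500; }
static glyph_entry latin_a = { latin_width };

/* Vulnerable pattern: the slot for the operand's first byte is used directly. */
int tj_width_unchecked(const charset_map *cs, const unsigned char *text)
{
    glyph_entry *e = cs->map[text[0]];    /* NULL for any unmapped byte */
    return e->width(text[0]);             /* near-NULL dereference when e == NULL */
}

/* Hardened form: an unmapped byte is rejected instead of being dereferenced. */
int tj_width_checked(const charset_map *cs, const unsigned char *text, int *out)
{
    if (cs == NULL || text == NULL || out == NULL) return -1;
    glyph_entry *e = cs->map[text[0]];
    if (e == NULL || e->width == NULL) return -1;   /* slot never populated */
    *out = e->width(text[0]);
    return 0;
}

/* Constructed sample: only 'a' is mapped; every other byte stays NULL. */
static charset_map *sample_map(void)
{
    static charset_map cs;                 /* zero-initialised like the real structure */
    cs.map[(unsigned char)'a'] = &latin_a;
    return &cs;
}

/* Returns the glyph width, or -1 when the hardened lookup rejects the byte. */
int demo_checked(const char *text)
{
    int w;
    if (tj_width_checked(sample_map(), (const unsigned char *)text, &w) != 0) return -1;
    return w;
}

int demo_unchecked(const char *text)
{
    return tj_width_unchecked(sample_map(), (const unsigned char *)text);
}
```

Calling demo_unchecked("R") reproduces the unchecked dereference of a NULL slot, whereas demo_checked("R") returns -1.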